Recently, there has been a resurgence of interest in electric power generation using nuclear power as an alternative to fossil fuel-based electric power generation. In the United States, this resurgence of interest has been facilitated in part by the Nuclear Power 2010 Program established in 2002. The Nuclear Power 2010 Program is a joint government/industry effort to identify sites for new nuclear power plants and to develop and bring to market advanced nuclear plant technologies. The Nuclear Power 2010 Program was instituted by the Nuclear Regulatory Commission (NRC), which regulates the nuclear power industry in the United States and licenses the operation of nuclear facilities. Operators of nuclear facilities are therefore often referred to as “licensees.”
Currently, there are just over 100 commercial nuclear power plants operating in the United States, producing a total of about 800 TWh of electricity per year. Commercial nuclear power plants in the United States are so-called “light water reactors,” which are nuclear reactors that use ordinary water as a coolant and neutron moderator, as opposed to heavy water (deuterium oxide) reactors that are more common outside the United States.
About two-thirds of the commercial nuclear power plants in the United States are pressurized water reactors (PWR), while the remaining one-third are earlier-generation boiling water reactors (BWR). In a BWR, water in the primary coolant loop (i.e., water that is pumped into the reactor core) boils to form steam that is used to power a generator. In contrast, in a PWR, pressurized water is used in the primary coolant loop, which prevents the water from boiling. Heat exchangers allow the heated water in the primary coolant loop to heat water in a secondary coolant loop that boils to form steam that is used to power the generator. Accordingly, many commercial nuclear power plants operating in the United States have designs that are at least somewhat similar to other commercial nuclear power plants in the United States.
One reason interest in nuclear power has increased is that, unlike coal-fired electric power plants and other fossil fuel-based power plants, nuclear power plants may not emit harmful substances, such as carbon compounds, sulphur oxides, heavy metals, fly ash, and other such materials into the atmosphere as a by-product of normal operation. Moreover, nuclear power plants may be more cost-effective and efficient, and may be capable of generating considerably more power than other “green” energy technologies, such as solar and wind-based electric power generators.
However, nuclear power plants have a drawback in that they require radioactive materials to operate. To mitigate the chance of accidental release of radioactive materials, nuclear power plants are designed to keep the radioactive materials within closed-circuit systems, with multiple redundant systems designed to reduce the possibility of accidental release.
Because of the presence of radioactive materials at a nuclear power plant, the physical security of such sites has long been a priority for both nuclear power plant operators and regulators. Nuclear power plants are designed to withstand man-made perils, such as airplane accidents, as well as natural disasters, such as hurricanes, tornadoes and earthquakes. Nuclear terrorism is of particular concern to both government and industry, due to the concern over a radioactive release at the power plant site itself, and the concern that radioactive materials could be removed and released at a more heavily populated location or, in a worst-case scenario, used as a component in a weapon.
Recently, there has been an increase in the concern over not just the physical security of nuclear power plants, but also in their security against computer-based threats. Indeed, in 2010, the Stuxnet computer worm was identified as a specific computer-based threat to nuclear power plants. The Stuxnet worm is a form of computer virus that spies on and reprograms industrial systems. It was reportedly specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes, and was confirmed to have affected at least one nuclear power plant outside the United States.
In the United States, the NRC has already directed nuclear power plant operators, or licensees, to develop and implement a plan for the protection of digital computer and communication systems used in nuclear power plants. In particular, the NRC has promulgated Title 10, Part 73, of the Code of Federal Regulations, entitled “Physical Protection of Plants and Materials.” Section 73.54 of the Code of Federal Regulations, entitled “Protection of Digital Computer and Communication Systems and Networks,” requires that licensees provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the threats described in 10 CFR Part 73, Section 73.1, which are used to design safeguards systems to protect against acts of radiological sabotage and to prevent the theft or diversion of nuclear material (referred to as the Design Basis Threats (DBT)).
In particular, nuclear power plant operators are required to protect certain digital computer and communications systems and networks in nuclear power plants from those cyber attacks that would modify, destroy, or compromise the integrity or confidentiality of data and/or software, deny access to systems, services, and/or data, and/or impact the operation of systems, networks, and associated equipment. Specifically, the operators are required to protect digital computer and communications systems and networks that perform safety-related and important-to-safety functions, security functions, and emergency preparedness functions, including offsite communications, as well as support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. These functions are referred to collectively as the “SSEP functions.”
The applicable regulations also require that each licensed nuclear power plant operator submit a cyber security plan for Nuclear Regulatory Commission review and approval. Current applicants for an operating license or combined license must submit a cyber security plan. The cyber security plan must establish a means to achieve high assurance that certain digital computer and communication systems and networks associated with SSEP functions are adequately protected against cyber attacks up to and including the Design Basis Threats (DBT). In particular, digital computer and communication systems and networks associated with SSEP functions that are identified as Critical Digital Assets (CDAs) must be protected against threats identified as design basis threats.
The Nuclear Energy Institute (NEI) is a policy organization that operates on behalf of the nuclear power industry. The NEI was formed, in part, to encourage the safe utilization and development of nuclear energy, and to support the nuclear energy industry by providing a unified nuclear energy industry approach to facilitate safety, reliability and economic efficiency in nuclear power plant operations. As an advisory organization to the nuclear power industry, the NEI has recommended that nuclear power plant operators implement and document the “baseline” cyber security controls described in Section 3.1.6 of the document entitled “NEI 08-09 Revision 6 Cyber Security Plan for Nuclear Power Reactors” promulgated by the NEI (hereinafter, “NEI 08-09”), and implement and document a cyber security program to maintain the established cyber security controls through a comprehensive life cycle approach as described in Section 4 of NEI 08-09.
NEI 08-09 Section 4 establishes the programmatic elements recommended to maintain cyber security throughout the life cycle of Critical Digital Assets (CDAs). The elements of NEI 08-09 Section 4 are intended to provide high assurance that CDAs associated with the SSEP functions are adequately protected from cyber attacks up to and including the DBT. A life cycle approach is recommended by the NEI consistent with the controls described in Appendix E of NEI 08-09, Revision 6. This approach is intended to ensure that the cyber security controls established and implemented for CDAs are maintained to achieve a nuclear plant's overall cyber security program objectives.
NEI 08-09 addresses not only the security of existing digital assets, but also the security of proposed new digital assets, or existing digital assets that are undergoing modification.
Accordingly, nuclear power plant operators have been charged with the task of identifying those systems in their nuclear power plants that relate to SSEP functions, identifying components of those systems that are digital assets, identifying which of those assets are Critical Digital Assets, establishing appropriate cyber security controls for each of the CDAs, implementing the established cyber security controls, and documenting that the established cyber security controls have been implemented, both for existing and new or upgraded components.
These tasks are non-trivial and, in a majority of cases, can only be completed during periods when the nuclear power plants are off-line, which usually occurs only for scheduled maintenance. Furthermore, the NRC has granted nuclear power plant operators a limited amount of time to implement the required security controls. Thus, nuclear power plant operators are currently faced with a serious, but necessary, burden to implement the requirements of the NRC with regard to existing equipment in a timely manner.
In addition, nuclear power plant operators will be faced with a continuing burden to ensure that new and/or upgraded equipment is appropriately screened to determine if it is or has become a CDA, and to take appropriate steps to identify and implement appropriate cyber security controls for such new and/or upgraded equipment.